Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.
What business leaders need to know about PQC, IoT, and AI security
With 2023 coming to a close, we're
rapidly approaching a new era of security. In the past year, generative
AI has taken the world by storm, touching nearly every aspect of our personal
and professional lives in one way or another. Connected devices continue to
blend the physical and digital worlds in exciting new ways as more product
designers, equipment manufacturers, and businesses adopt IoT technology than
ever before. And 2024 is also the year in which NIST's three new algorithms are
expected to be ready for use, at which point organizations around the world
can start integrating them into their encryption infrastructure.
These developments - while exciting -
add to the complexity of our current security landscape. As we charge ahead
into the new year, it will be important for business leaders to educate
themselves on what's next in these three spheres - post-quantum cryptography
(PQC), IoT, and AI - so they can take the steps needed to protect their
business, their people, and their consumers as the security landscape continues
to evolve.
Read on for the top predictions and
trends from three eminent thought leaders at Keyfactor - Chris Hickman, the company's CSO, on
adopting new PQC algorithms; Ellen Boehm, SVP of IoT Strategy
and Operations, on preparing for stronger IoT device security; and Ryan Sanders, Sr. Director of
Product and Strategy, on ensuring authenticity as AI-generated content becomes
more ingrained in our daily lives.
Chris Hickman, CSO, Keyfactor:
Significant planning and testing will be needed to adopt new PQC algorithms
One of the biggest concerns with
quantum computing is its potential to break cryptography. Luckily, NIST plans
to finalize standardized PQC algorithms in early 2024. But organizations need
to remember that this marks just the starting line for PQC algorithms. Once the
algorithms are standardized, products, developers, and everyone else can
start using them with some confidence that they will protect
cryptography in a post-quantum world. Standardization should also allow for greater
interoperability. However, organizations will need to undergo significant
testing and planning to adopt these new algorithms, as they differ entirely
from the ones currently used in asymmetric cryptography.
Quantum-ready cryptography will also
require longer key sizes. This is a concern because many of today's devices
have limited memory and/or processing resources.
In 2024, organizations must start
planning and testing to adopt NIST's new PQC algorithms. Additionally, they
must begin assessing how prepared their entire supply chain is, and will be,
which is equally important. It will be imperative for
security assessments and vendor audits to begin taking PQC into account.
Ellen Boehm, SVP, IoT Strategy and Operations, Keyfactor:
U.S. Cyber Trust Mark is a big step in preventing cyberattacks on smart devices
As we creep closer to the launch
of the U.S. Cyber Trust Mark labeling program, which is expected in
2024, we're taking a big step as an industry toward helping Americans more easily
choose smart devices that are safer and less vulnerable to cyberattacks. While
there are still some concerns about the scope and implementation of the new
program, it is a step in the right direction. With this labeling program, we're
acknowledging that there is a gap in cybersecurity awareness and that we need to make
consumers more aware of the risks.
As consumers, when we make a purchase,
we expect a certain level of quality and safety in our products. This
expectation also holds true for the security protocols embedded inside the
smart home tech and connected devices we choose to use. As with any new
program there will be iterations, but the launch provides a starting point for
this very important conversation, which will in turn start to drive
more awareness of the security of our smart devices on a national level for US
consumers.
Cryptography will become essential to ensure the integrity of IoT devices
Similar to how AI has accelerated
marketing content, AI will help developers iterate faster on designs and
innovate features that might not have been possible through standard
methods. The challenge with using any AI engine always comes back to
proving the origin, authenticity, and record of how code has changed over time.
This is where new security vulnerabilities could be introduced into IoT
products: AI-based code development may draw on an unknown source.
Establishing PKI-based trust and using
proper code signing will be crucial. PKI ensures data confidentiality through
advanced encryption techniques, providing the essential backbone of internet
security, while code signing is one of the cryptographic methods
developers can use to prove that a piece of software is authentic. By digitally
signing apps, software, or embedded firmware with a private key, developers give
end users proof that the code originates from a trusted and legitimate
source and that it hasn't been tampered with since it was published. Combined,
PKI and code signing are the most effective security measures to ensure the
integrity of devices from activation through firmware and software
updates.
Establishing crypto-agile processes for long-lived IoT devices today will be necessary to prepare for future threats
Post-quantum cryptography (PQC) is
going to change the way that we look at underlying cryptography and how we
encrypt our devices - both in the enterprise and in IoT. It's important for IoT
OEMs and operators to understand the implications of how their
products and systems are designed, so that they can implement strong security
today with classical algorithms while being prepared to
switch to post-quantum crypto when it becomes available. For long-lived devices that are
going into operation today, OEMs will need to focus on establishing processes
that will enable them to become crypto-agile - meaning they can ensure a rapid
response to a cryptographic threat. Only IoT developers who possess
crypto-agility will be prepared for the future changing landscape.
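The two passages above describe code signing (a private key signs the firmware, the device checks the signature and rejects anything modified since signing) and crypto-agility (the ability to switch signature algorithms without redesigning the update path). The following is an added example, written for this page and not code from the article or from Keyfactor, that shows both in working Go using only the standard library. The manifest format, the scheme names "ed25519" and "ecdsa-p256", and the firmware image bytes are all constructed for the example; the two classical schemes stand in for "the algorithm used today" and "the algorithm a crypto-agile device swaps in later", which is the same mechanism a PQC signature would use once libraries ship it.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Manifest is a constructed, minimal firmware manifest; the Algorithm names are hypothetical.
type Manifest struct {
	Algorithm string
	Signature []byte
}
// scheme is one sign/verify pair over a 32-byte hash; a future (e.g. PQC) scheme supplies just these.
type scheme struct {
	sign   func(priv crypto.PrivateKey, msg []byte) ([]byte, error)
	verify func(pub crypto.PublicKey, msg, sig []byte) bool
}
// registry is the crypto-agility point: a new scheme is a new entry here plus a provisioned device key.
var registry = map[string]scheme{
	"ed25519": {
		sign: func(priv crypto.PrivateKey, msg []byte) ([]byte, error) {
			return ed25519.Sign(priv.(ed25519.PrivateKey), msg), nil
		},
		verify: func(pub crypto.PublicKey, msg, sig []byte) bool {
			return ed25519.Verify(pub.(ed25519.PublicKey), msg, sig)
		},
	},
	"ecdsa-p256": {
		sign: func(priv crypto.PrivateKey, msg []byte) ([]byte, error) {
			return ecdsa.SignASN1(rand.Reader, priv.(*ecdsa.PrivateKey), msg)
		},
		verify: func(pub crypto.PublicKey, msg, sig []byte) bool {
			return ecdsa.VerifyASN1(pub.(*ecdsa.PublicKey), msg, sig)
		},
	},
}
// GenerateKey makes a key pair for the named scheme; the private key stays with the signer.
func GenerateKey(alg string) (crypto.PrivateKey, crypto.PublicKey, error) {
	switch alg {
	case "ed25519":
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		return priv, pub, err
	case "ecdsa-p256":
		priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		return priv, &priv.PublicKey, nil
	}
	return nil, nil, fmt.Errorf("unsupported algorithm %q", alg)
}
// signedMessage binds the scheme name into the signed hash, so relabelling a manifest breaks the signature.
func signedMessage(alg string, image []byte) []byte {
	d := sha256.Sum256(image)
	h := sha256.Sum256(append([]byte(alg+"\x00"), d[:]...))
	return h[:]
}
// SignImage is the build-side step: hash the image and sign with the private key.
func SignImage(alg string, priv crypto.PrivateKey, image []byte) (Manifest, error) {
	s, ok := registry[alg]
	if !ok {
		return Manifest{}, fmt.Errorf("unsupported algorithm %q", alg)
	}
	sig, err := s.sign(priv, signedMessage(alg, image))
	return Manifest{Algorithm: alg, Signature: sig}, err
}
// VerifyImage is the device-side check before an update is applied, using the provisioned public key.
func VerifyImage(trusted map[string]crypto.PublicKey, m Manifest, image []byte) bool {
	s, ok := registry[m.Algorithm]
	pub, known := trusted[m.Algorithm]
	if !ok || !known {
		return false // unknown scheme or no provisioned key: fail closed
	}
	return s.verify(pub, signedMessage(m.Algorithm, image), m.Signature)
}
// Demo signs a constructed image and reports: genuine image verifies; one-bit-flipped copy is rejected.
func Demo(alg string) (genuineOK, tamperRejected bool, err error) {
	priv, pub, err := GenerateKey(alg)
	if err != nil {
		return
	}
	image := []byte("constructed firmware image for a demo device, build 1.2.0")
	m, err := SignImage(alg, priv, image)
	trusted := map[string]crypto.PublicKey{alg: pub}
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01
	return VerifyImage(trusted, m, image), !VerifyImage(trusted, m, tampered), err
}

func main() {
	for _, alg := range []string{"ed25519", "ecdsa-p256"} {
		ok, rejected, err := Demo(alg)
		fmt.Printf("%-10s genuine=%v tamperRejected=%v err=%v\n", alg, ok, rejected, err)
	}
}
```

The design choice to notice is that VerifyImage never names an algorithm: it dispatches on the manifest field and on whichever public keys were provisioned at manufacture, and it fails closed when either is missing. Migrating a fielded device to a PQC signature scheme therefore means adding a registry entry, provisioning the new public key (for example via an update signed with the old scheme), and re-signing images, rather than rewriting the update path. Hashing the scheme name together with the image digest is the detail that stops a relabelled manifest from being checked under a different scheme than the one that produced the signature.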
Ryan Sanders, Sr. Director of Product and Strategy, Keyfactor:
To ensure AI-generated content and code authenticity, digital signatures will become critical
Like any disruptive technology, AI is
a double-edged sword. AI has been around for a long time; the difference now is
one word: availability. Any new technology is initially expensive, not widely
available, and sometimes, too complex for the average person. Generative AI and
large language models were the accelerators that overcame these hurdles, making
AI affordable, usable and accessible to everyone. That's where the problems
come in. There's no standard (yet) for how AI should be used, what AI should
have access to, and how to prevent misuse. AI can be a co-pilot or assistant
for cybersecurity teams, helping them work more efficiently and make better
sense of the flood of alerts and risk warnings they deal with on a daily basis.
On the other hand, AI can be used to produce fraudulent images or videos,
accelerate malware production, or even take DDoS attacks to the next level by
enabling AI-powered bots to do the dirty work.
One area where we're most concerned
when it comes to AI is content and code authenticity. In a world where AI is
accessible to all, how do you know if an image or video was produced by a human
or AI? How do you know if it's been augmented? How do you know when and where
it was taken? All of these are important questions, particularly in the face of
recent conflicts, which have raised questions about authenticity and shown the
dangers of misinformation or even disinformation spreading
like wildfire on social media. The same also applies to software development.
If teams augment development with AI, how do you know the source of your code?
How do you know if it's been tampered with or altered?
Digital signatures are one of the best
current methods to prove the origin and authenticity of images and videos, as
well as to prove the integrity and authenticity of code. All of these - images,
videos, and software - are intellectual property that must be protected. We're
now living in a world where we can't immediately trust what we see and hear.
Everything must be verified. Authenticity is the key to establishing trust in
an otherwise untrusting world.
ABOUT THE AUTHORS
Chris Hickman
Chris Hickman is CSO at
Keyfactor. As a member of the senior management team, Chris is responsible for
establishing and maintaining Keyfactor's leadership position as a
world-class, technical organization with deep security industry expertise.
Ellen Boehm
Ellen Boehm is SVP of IoT
strategy and operations at Keyfactor. She has over 15 years' experience in
leading new product development with a focus on IoT and connected products in
lighting controls, smart cities, connected buildings and smart home technology.
Ryan Sanders
Ryan Sanders is senior
director of product and strategy at Keyfactor. Ryan is passionate about
cybersecurity and actively analyzes the latest compliance mandates, market
trends, and industry best practices related to public key infrastructure (PKI)
and digital certificates. Based in Toronto, Ryan has been an integral member of
the Keyfactor team for five years.